summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorVladimir A Filonov <vladimir@labbler.com>2013-02-23 15:07:21 +0100
committerAymeric Augustin <aymeric.augustin@m4x.org>2013-02-23 16:16:39 +0100
commitf49e9a517f2fdc1d9ed7ac841ace77636cbd6747 (patch)
tree412736a26abc5b88aeac224820be51c381cef2e7 /docs
parenta61dbd62193d036d082fdad4d1af3b48ebec4fb3 (diff)
Fixed #17906 - Autoescaping {% cycle %} and {% firstof %} templatetags.
This commit adds "future" version of these two tags with auto-escaping enabled.
Diffstat (limited to 'docs')
-rw-r--r--docs/internals/deprecation.txt4
-rw-r--r--docs/ref/templates/builtins.txt55
-rw-r--r--docs/releases/1.6.txt28
3 files changed, 75 insertions, 12 deletions
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt
index 50b9aa3c19..ef9fd31d15 100644
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@@ -323,6 +323,10 @@ these changes.
1.8
---
+* The :ttag:`cycle` and :ttag:`firstof` template tags will auto-escape their
+ arguments. In 1.6 and 1.7, this behavior is provided by the version of these
+ tags in the ``future`` template tag library.
+
* The ``SEND_BROKEN_LINK_EMAILS`` setting will be removed. Add the
:class:`django.middleware.common.BrokenLinkEmailsMiddleware` middleware to
your :setting:`MIDDLEWARE_CLASSES` setting instead.
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index cfc57cc551..149a557356 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -147,9 +147,8 @@ You can use any number of values in a ``{% cycle %}`` tag, separated by spaces.
Values enclosed in single (``'``) or double quotes (``"``) are treated as
string literals, while values without quotes are treated as template variables.
-Note that the variables included in the cycle will not be escaped.
-This is because template tags do not escape their content. Any HTML or
-Javascript code contained in the printed variable will be rendered
+Note that currently the variables included in the cycle will not be escaped.
+Any HTML or Javascript code contained in the printed variable will be rendered
as-is, which could potentially lead to security issues.
For backwards compatibility, the ``{% cycle %}`` tag supports the much inferior
@@ -190,6 +189,22 @@ call to ``{% cycle %}`` doesn't specify silent::
{% cycle 'row1' 'row2' as rowcolors silent %}
{% cycle rowcolors %}
+.. versionchanged:: 1.6
+
+To improve safety, future versions of ``cycle`` will automatically escape
+their output. You're encouraged to activate this behavior by loading
+``cycle`` from the ``future`` template library::
+
+ {% load cycle from future %}
+
+When using the ``future`` version, you can disable auto-escaping with::
+
+ {% for o in some_list %}
+ <tr class="{% autoescape off %}{% cycle rowvalue1 rowvalue2 %}{% endautoescape %}">
+ ...
+ </tr>
+ {% endfor %}
+
.. templatetag:: debug
debug
@@ -257,28 +272,44 @@ This is equivalent to::
{% if var1 %}
{{ var1|safe }}
- {% else %}{% if var2 %}
+ {% elif var2 %}
{{ var2|safe }}
- {% else %}{% if var3 %}
+ {% elif var3 %}
{{ var3|safe }}
- {% endif %}{% endif %}{% endif %}
+ {% endif %}
You can also use a literal string as a fallback value in case all
passed variables are False::
{% firstof var1 var2 var3 "fallback value" %}
-Note that the variables included in the firstof tag will not be
-escaped. This is because template tags do not escape their content.
-Any HTML or Javascript code contained in the printed variable will be
-rendered as-is, which could potentially lead to security issues. If you
-need to escape the variables in the firstof tag, you must do so
-explicitly::
+Note that currently the variables included in the firstof tag will not be
+escaped. Any HTML or Javascript code contained in the printed variable will be
+rendered as-is, which could potentially lead to security issues. If you need
+to escape the variables in the firstof tag, you must do so explicitly::
{% filter force_escape %}
{% firstof var1 var2 var3 "fallback value" %}
{% endfilter %}
+.. versionchanged:: 1.6
+
+To improve safety, future versions of ``firstof`` will automatically escape
+their output. You're encouraged to activate this behavior by loading
+``firstof`` from the ``future`` template library::
+
+ {% load firstof from future %}
+
+When using the ``future`` version, you can disable auto-escaping with::
+
+ {% autoescape off %}
+ {% firstof var1 var2 var3 "<strong>fallback value</strong>" %}
+ {% endautoescape %}
+
+Or if only some variables should be escaped, you can use::
+
+ {% firstof var1 var2|safe var3 "<strong>fallback value</strong>"|safe %}
+
.. templatetag:: for
for
diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt
index 67c032a362..ce1e643946 100644
--- a/docs/releases/1.6.txt
+++ b/docs/releases/1.6.txt
@@ -160,6 +160,34 @@ Backwards incompatible changes in 1.6
Features deprecated in 1.6
==========================
+Changes to :ttag:`cycle` and :ttag:`firstof`
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The template system generally escapes all variables to avoid XSS attacks.
+However, due to an accident of history, the :ttag:`cycle` and :ttag:`firstof`
+tags render their arguments as-is.
+
+Django 1.6 starts a process to correct this inconsistency. The ``future``
+template library provides alternate implementations of :ttag:`cycle` and
+:ttag:`firstof` that autoescape their inputs. If you're using these tags,
+you're encourage to include the following line at the top of your templates to
+enable the new behavior::
+
+ {% load cycle from future %}
+
+or::
+
+ {% load firstof from future %}
+
+The tags implementing the old behavior have been deprecated, and in Django
+1.8, the old behavior will be replaced with the new behavior. To ensure
+compatibility with future versions of Django, existing templates should be
+modified to use the ``future`` versions.
+
+If necessary, you can temporarily disable auto-escaping with
+:func:`~django.utils.safestring.mark_safe` or :ttag:`{% autoescape off %}
+<autoescape>`.
+
``SEND_BROKEN_LINK_EMAILS`` setting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~